Protecting a Website from Cross-Site Request Forgery Attacks

Aneesh Lal Gopalakrishnan stops an attack:

ASP.NET MVC and ASP.NET Core are traditionally some of the most used platforms to build financial web applications, such as banks and hedge funds. From a statistical standpoint, these platforms are trusted more than their counterparts, such as Express or NodeJS, for financial web applications. In addition, it is easier to fix CSRF issues in ASP.NET Core than in ASP.NET MVC because of the better tools and support available. We will investigate techniques to fix CSRF issues in ASP.NET MVC.

About 10-15 years ago, CSRF was one of the top threats (in 2007 and 2010, it was #5; in 2013, it was #8), but then it dropped off the list. The reason is that basically every platform in existence put in anti-CSRF tokens automatically, so you rarely see it work anymore except on really old websites.